
Security Week 45: Ether frozen in wallets, a million fake WhatsApps, useless protection of intellectual property

In the world of blockchain enthusiasts everything is simple and safe. After all, the blockchain is so reliable by itself that it needs neither a regulator in the shape of the state, nor banks, nor any other superstructure to secure a financial transaction. We will not argue with the claim that the technology is free of many of the old world's shortcomings and vulnerabilities. But that does not mean it has no weak points of its own, ones that were previously impossible to imagine. That is exactly the situation here: because of a vulnerability found in the popular Ethereum wallet Parity, cryptocurrency funds estimated at 150 to 300 million US dollars ended up frozen.

How did it happen? User devops199 reported that it was possible to destroy the Parity Wallet library contract, which made every multisig wallet built on it inaccessible. From Ethereum's point of view there is no difference between accounts, libraries and contracts: all of them are programs. The library had no owner. devops199 initialised it as a wallet, became its owner, and then deleted it (a contract's self-destruct removes its code permanently). Supposedly by accident (sure, sure). After that, every multisig wallet tied to this library became inaccessible.
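The sequence above, as an added toy model written for this column (it is not Parity's code and the class and method names are assumptions). A multisig wallet in this design holds no logic of its own: each call is forwarded with delegatecall to one shared library and runs against the wallet's storage. The library is itself an account with code and storage that nobody initialised. Its initialiser is public and its kill function is owner-only, so whoever initialises the library becomes its owner and can remove its code, after which every dependent wallet has nothing to delegate to. The `guarded` flag models the obvious hardening of initialising the library at deployment and refusing a second initialisation; it is an illustration, not a description of Parity's actual fix.

```python
"""Toy model of the Parity library-wallet freeze (added example, not Parity's code)."""


class Revert(Exception):
    """Stand-in for an EVM revert."""


class Library:
    """Shared wallet code. Each call receives the storage it should act on,
    because a delegatecall runs library code against the caller's storage."""

    def __init__(self, guarded: bool, initial_owners=()):
        self.guarded = guarded                       # True: refuse a second init
        self.storage = {"owners": list(initial_owners)}  # the library's own storage
        self.has_code = True

    def init_wallet(self, storage: dict, owners) -> None:
        """Set owners. Dangerous when it can be run on the uninitialised library."""
        if not self.has_code:
            return  # a delegatecall to an account without code does nothing
        if self.guarded and storage["owners"]:
            raise Revert("already initialised")
        storage["owners"] = list(owners)

    def kill(self, storage: dict, caller: str) -> None:
        """selfdestruct: owner-only, but the attacker just made themselves owner."""
        if not self.has_code:
            return
        if caller not in storage["owners"]:
            raise Revert("only owner")
        self.has_code = False  # code is gone for good; contracts cannot be patched

    def transfer(self, storage: dict, caller: str) -> bool:
        """Return True if a transfer would execute, False if it silently no-ops."""
        if not self.has_code:
            return False  # funds are not stolen, but nothing can ever move them
        if caller not in storage["owners"]:
            raise Revert("only owner")
        return True


class Wallet:
    """Multisig wallet that delegates all logic to the shared library."""

    def __init__(self, library: Library, owners):
        self.library = library
        self.storage = {"owners": []}
        library.init_wallet(self.storage, owners)  # via delegatecall: wallet storage

    def transfer(self, caller: str) -> bool:
        return self.library.transfer(self.storage, caller)


def freeze_attack(lib: Library, attacker: str = "devops199") -> bool:
    """Run the two calls the post describes directly against the library.
    Returns True if the library's code is gone afterwards."""
    try:
        lib.init_wallet(lib.storage, [attacker])  # direct call: library storage
        lib.kill(lib.storage, attacker)
    except Revert:
        return False
    return not lib.has_code


def demo(guarded: bool) -> dict:
    """Deploy a library and one wallet, run the attack, report what still works."""
    lib = Library(guarded=guarded, initial_owners=["deployer"] if guarded else ())
    wallet = Wallet(lib, ["alice", "bob"])
    before = wallet.transfer("alice")
    killed = freeze_attack(lib)
    after = wallet.transfer("alice")
    return {"killed": killed, "transfer_before": before, "transfer_after": after}


if __name__ == "__main__":
    print("vulnerable:", demo(guarded=False))
    print("hardened:  ", demo(guarded=True))
```

Note the failure mode the model keeps: in the real EVM a delegatecall to an address whose code has been removed does not revert, it simply does nothing, which is why the wallets were frozen rather than drained and why nothing short of a network-level change can restore them.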

The most interesting part is that quite recently, on July 19, Parity wallets already had a vulnerability that let attackers steal around $30 million. Back then only three wallets were compromised; the company quickly released a new version of the library and appeared to have fixed everything. As we can see, not everything. The current problem does not lead to the loss of funds, but losing control over them is hardly good news either. Among the victims is the start-up Polkadot, which held an ICO in mid-October and raised $145 million. 98 million of that is now frozen in a Parity wallet.

Ethereum's developers reassured everyone that the problem does not affect the network as a whole, "only" the code of smart contracts written on top of the blockchain. But Ethereum smart contracts cannot be changed once deployed. At all. Ever. That is the defining feature of a blockchain. And if so, the bugs they contain cannot be fixed either. So most likely a hard fork of the entire Ethereum network will be needed to fix the problem.
The trouble with hard forks is that the whole community does not always agree to accept one. As we know, that is exactly how we ended up with both Ethereum and Ethereum Classic, and nobody is insured against further splits. And, as a reader of the ThreatPost post noted, this is why he prefers hardware wallets to software ones.

A million fake WhatsApps


If you put something into Google Play that echoes the design and name of a popular application, you can safely count on a number of installations by mistake. Sometimes hundreds, sometimes thousands. And if you mimic a real hit cleverly, the harvest is more abundant still. So, this week an application called WhatsApp Messenger Update, which had managed to collect a million (!) downloads, was removed from Google Play.
The application itself does little and requests minimal permissions (only Internet access), but it downloaded a whatsapp.apk from somewhere via a shortened link. After that, WhatsApp Messenger Update tried not to draw attention to itself: it had no name and no icon on the home screen.

After Google was warned about the strange application, it was removed from Play and its developer's account was blocked. Here one more piquant detail emerged: the developer was listed as... "WhatsApp Inc. ". Notice the difference? Yes, exactly: an extra space after the name. The developer used the byte sequence C2 A0, the UTF-8 encoding of the non-breaking space (U+00A0), which Google's automatic filters did not recognise as a copy of the legitimate publisher name.

In May 2017 Google launched Play Protect, which regularly scans applications in the store for malware and at peak handles 50 billion application scans per day. In theory it should prevent "wrappers" that download an APK from who knows where from appearing in Google Play. But it seems man is still more cunning than the robots, however expensive they are.

It is worth noting that this is not the first time unscrupulous developers have used Unicode characters to trick Google. Just three weeks ago a fake AdBlock Plus extension was planted in the store the same way; before it was detected and removed it had been downloaded 37 thousand times. There the title contained a Cyrillic character that passed through Google's filters like a hot knife through butter. At this rate Unicode in Play may just get banned outright. Just to be safe...
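Both tricks described above (the trailing U+00A0 on "WhatsApp Inc." and the Cyrillic letter in a Latin title) survive a plain string comparison with the legitimate name. The check below is an added example written for this column, not Google's filter: it folds a candidate publisher or app name before comparing it with a list of protected names and reports why a candidate collides. The protected list, the confusables table (a subset) and the sample inputs are constructed for the example.

```python
"""Publisher/app-name spoof check (added example, not Google's filter)."""
import unicodedata

# Constructed list of names worth protecting for this example.
PROTECTED = ("WhatsApp Inc.", "AdBlock Plus")

# Cyrillic letters that look identical to a Latin letter (subset, for illustration).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0410": "A", "\u0412": "B", "\u0415": "E",
    "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
}


def fold(name: str) -> str:
    """Canonical form: NFKC, confusables mapped to Latin, whitespace collapsed,
    case folded. NFKC already turns U+00A0 into U+0020; str.split() drops any
    remaining Unicode whitespace, so trailing invisible padding disappears."""
    s = unicodedata.normalize("NFKC", name)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return " ".join(s.split()).casefold()


def scripts(name: str) -> set:
    """Set of Unicode script names (first word of the character name) used
    by the letters in the string, e.g. {'LATIN', 'CYRILLIC'}."""
    out = set()
    for ch in name:
        if ch.isalpha():
            n = unicodedata.name(ch, "")
            if n:
                out.add(n.split()[0])
    return out


def check_name(candidate: str, protected=PROTECTED) -> list:
    """Return a list of findings; an empty list means the name is clean."""
    if candidate in protected:
        return []  # exact match: the genuine publisher
    findings = []
    for ch in candidate:
        if ch.isspace() and ch != " ":
            findings.append(f"unusual whitespace U+{ord(ch):04X}")
    used = scripts(candidate)
    if len(used) > 1:
        findings.append("mixed scripts " + "+".join(sorted(used)))
    folded = fold(candidate)
    for legit in protected:
        if folded == fold(legit):
            findings.append(f"collides with protected name {legit!r}")
    return findings


def audit(names, protected=PROTECTED) -> dict:
    """Map each submitted name to its findings."""
    return {n: check_name(n, protected) for n in names}


if __name__ == "__main__":
    # Constructed samples: the genuine name, the NBSP trick, the Cyrillic trick.
    samples = ["WhatsApp Inc.", "WhatsApp Inc.\u00a0", "AdBl\u043eck Plus", "Some Other Dev"]
    for name, findings in audit(samples).items():
        print(repr(name), "->", findings or "clean")
```

The collision check is the one that matters: whitespace and script heuristics catch these two cases, but a filter that only looks for "odd characters" will miss the next trick, whereas comparing folded names against the publishers you care about does not depend on knowing the trick in advance.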

Welcome to our secrets!


The US Department of Homeland Security is sounding the alarm. According to an academic study, the P1735 standard, developed by the Institute of Electrical and Electronics Engineers to protect intellectual property in software and hardware products, is not as reliable as it seemed.

IEEE P1735 lets different manufacturers build joint products without disclosing all the details of their products and technologies to each other, and thus protect their own work from reverse engineering and theft. Thanks to IEEE P1735, code from different companies can function together while remaining encrypted.

US-CERT (the United States Computer Emergency Readiness Team) reports that the encryption methods used in the standard are imperfect and, under an unfavourable scenario, create attack vectors that give access to the intellectual property in unencrypted form. Implementations of IEEE P1735 may not be robust against cryptographic attacks, which among other things opens up access to the intellectual property without the encryption key.

The holes in the protection were first noticed by researchers at the University of Florida, who described them in detail in the paper "Standardizing Bad Cryptographic Practice" (careful, PDF). In total seven vulnerabilities were found, rated on the CVSS (Common Vulnerability Scoring System) scale at 5.7 to 6.3 points out of 10.

Among them:


The IEEE P1735 standard is implemented by CAD vendor Synopsys in its Synplify Premier design and debugging environment. But the problem can also manifest in the products of other vendors, in particular Cadence Design Systems, Mentor Graphics, Xilinx and Zuken.

Modern software and electronic products are so complex that often they simply cannot be built alone. You have to cooperate, but oh, how one hates to share secrets even with a proven partner. The IEEE P1735 standard was considered a panacea, but, as we can see, it has gaps. Moreover, according to the researchers, these are systemic gaps that cannot be treated with simple patches. As the plumber from the old Soviet joke said, the one who got taken for a dissident, "It's not the gasket that needs replacing here, it's the whole system!"

Antiquities


End-of
A harmless memory-resident virus. It writes itself in the standard way to the .COM files of the current directory when the DOS ChDir function is called. At the end of infected files the string "end-of" can be found. When installing its TSR copy, it tries to change to the "ZhMOB" directory. Hooks int 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on luck.

Source: https://habr.com/ru/post/342138/
